Two Ways to Pickpocket Google Wallet Emerge

Even with Google Wallet's built-in identity theft protections, you still need to be wary of hackers.

The electronic wallet sector has generated a lot of hype. Google Wallet and ISIS - which is ramping up - offer the extravagant prospect of using near-field communications (NFC) technology embedded or attached to mobile devices to replace payment cards. Swipe your phone at the reader and away you go.

It's all predicated, of course, on the system being secure. On one hand, it's easy to argue that the current use of payment cards is breathtakingly insecure. Reading all your information to a customer service representative who may be copying it down for delivery to crackers hardly seems prudent. It also seems unlikely that the security for traditional in-store purchases is any better.

But that doesn't matter, since those procedures are ensconced. They are not going anywhere soon, if ever. eWallets are new, however, and thus must meet a higher standard.

Things are not going too well on that front. Google Wallet - the one of the two in release - has been poked and prodded and the results are troubling. Late last year, a site called xdadevelopers offered a brief post suggesting that hijacking somebody's Google Wallet account is as easy as one, two, three, four:

1) Go into application settings

2) Clear data for Google wallet

3) Open wallet and set it back up

4) Everything remaining on your Google prepaid card can now be used

This process can be done by somebody who steals or finds a phone, of course. A site called the Smart Chimp has a video demonstrating how it is done. I'm not linking to it because, as one commenter pointed out, they don't seem to have credited those who uncovered the flaw.

A second problem was reported this week. Researcher Joshua Rubin, working off an examination done late last year by ViaForensics, found that the four-digit PIN number can be cracked. Neil Rubenking at PCMag does a good job of explaining, and Rubin offers his own explanation and a video as well. A four-digit PIN is translated into a code. (This is called one-way encryption or hashing, Rubenking said.) The PIN can't be reconstructed from the hash that is created. An app simply uses the same hashing algorithm on what somebody trying to gain access types. If what is stored and what is typed are identical, access is granted.

Wrote Rubenking:

What Rubin realized is that hashing isn't effective when the number of possible originals is small. There are only 10,000 possible values for a PIN consisting of four numeric digits. He quickly whipped up a Google Wallet Cracker program that would check all 10,000 against the stored hash, revealing the correct PIN.

Essentially, there are at least two ways to break into Google Wallet on the table. More undoubtedly are on the horizon. The bottom line is obvious: Google and its vendors need to fix this quickly, and ISIS needs to make sure its infrastructure is safe.

Google has a long and storied history of bringing out products and services that liberate funds from other people's wallets.

Take Google AdWords - for years, Google refused to acknowledge the magnitude of click fraud (fake or fraudulent clicks on Google PPC ads), instead saying that it was simply a "small percentage" of clicks. Yet outside experts estimated click fraud was as high as 30% in the early days of AdWords...and to this day, Google has never provided their fraud data to an outsider for review. To this day, I suspect click fraud ranges from 2% to 20%, depending on the ad and the country targeted.

SO, instead of people stealing all the money in your Google Wallet, they could just take some of your dollars out. Pretty outrageous when you think about it, but Google has somehow skated by without public criticism.